THREAT LEVEL - HIGH

09-06-2026

High Level – New Check Point VPN Authentication Bypass Actively Exploited in the Wild

Threat Level Description

IthacaLabs has maintained the Threat Level at High and added a new observation:

An attack is highly likely. Addressing the broad nature of the threat in order to reach an acceptable risk level requires additional and sustainable protective security measures, combined with specific business and geographical vulnerabilities and judgments.

Description

We have observed active exploitation of a critical authentication bypass vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol.

Successful exploitation grants an unauthenticated remote attacker an authenticated VPN session, though additional post-authentication activity is required to reach internal resources or escalate privileges. In practical terms, the vulnerability removes the primary barrier protecting the network perimeter. Once inside the VPN, an attacker is positioned to move laterally, enumerate internal systems, and stage follow-on attacks.

The flaw, tracked as CVE-2026-50751 (CVSS 9.3), is a logic weakness in certificate validation that lets an attacker establish a VPN session without a valid password, effectively bypassing authentication.

A second identified flaw, CVE-2026-50752 (CVSS 7.4), is a certificate-validation condition in IKEv1 that can allow a man-in-the-middle attack on site-to-site VPN connections under specific conditions. This vulnerability has not been observed being exploited in the wild, but patching is still advised.

Our Advisory and Managed Services, including our Security Operations and Technology Resilience lines, can help safeguard your organization against such threats.

Through proactive monitoring, threat detection, and incident response, our services are designed to keep your systems secure, resilient, and prepared for evolving cyber risks. We advise all organizations to remain vigilant and regularly review their cybersecurity postures.

Affected Products:

  • Security Gateways R82.10 (JHF Take ≤19), R82 (JHF Take ≤103), R81.20 (JHF Take ≤141), R81.10 (EOS), R81 (EOS), R80.40 (EOS)
  • Spark Firewalls R80.20.X (EOS), R81.10.X, R82.00.X

Note: Only devices with the User-ID Authentication Portal enabled are at risk.

Recommendation(s)

You should apply all vendor-provided security patches immediately to mitigate the risks posed by these vulnerabilities.

  • Upgrade R82.10 to Jumbo Hotfix Take 20 or later
  • Upgrade R82 to Jumbo Hotfix Take 104 or later
  • Upgrade R81.20 to Jumbo Hotfix Take 142 or later
  • Upgrade R81.10.X / R82.00.X (Spark) to R81.10.17 / R82.00.10

If patching is delayed, implement the following workarounds:

  • Disable IKEv1 for remote access and enforce IKEv2 authentication via Global properties
  • Remove support for legacy Remote Access clients in the gateway configuration
  • Set Machine Certificate Authentication as mandatory for all remote access connections
  • Audit VPN logs back to May 7, 2026 for suspicious IKEv1 authentication events
  • Monitor for Qilin ransomware indicators (ELF binary downloads, Tox protocol traffic, C2 beaconing)
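To support the log-audit workaround above, the following is an added Python triage example; it is not code from the advisory or from Check Point. The key=value log layout and the field names (`feature`, `ike_version`, `action`, `src`, `user`) are constructed for illustration and must be mapped to the actual export format of your gateway; it keeps only accepted IKEv1 remote-access sessions on or after the May 7, 2026 cutoff and groups them by source address.

```python
import re
from datetime import datetime
from collections import defaultdict

# Cutoff taken from the advisory: audit VPN logs back to May 7, 2026.
AUDIT_START = datetime(2026, 5, 7)

# Constructed key=value log lines. This layout and these field names are an
# assumption for the example, not Check Point's actual log export format.
SAMPLE_LOGS = """\
time=2026-05-02T08:15:10 product=VPN feature=RemoteAccess ike_version=1 action=accept src=198.51.100.10 user=alice
time=2026-05-09T02:41:33 product=VPN feature=RemoteAccess ike_version=1 action=accept src=203.0.113.7 user=svc-backup
time=2026-05-09T02:42:05 product=VPN feature=RemoteAccess ike_version=1 action=accept src=203.0.113.7 user=admin
time=2026-05-10T11:03:51 product=VPN feature=RemoteAccess ike_version=2 action=accept src=192.0.2.55 user=bob
time=2026-05-11T23:59:59 product=VPN feature=SiteToSite ike_version=1 action=accept src=192.0.2.200 user=-
time=2026-05-12T04:00:02 product=VPN feature=RemoteAccess ike_version=1 action=reject src=203.0.113.7 user=admin
"""

FIELD_RE = re.compile(r'(\w+)=(\S+)')

def parse_line(line):
    """Turn one key=value line into a dict; return None for an empty line."""
    line = line.strip()
    if not line:
        return None
    return dict(FIELD_RE.findall(line))

def find_ikev1_remote_access(logs, since=AUDIT_START):
    """Accepted IKEv1 remote-access logins on/after the cutoff, grouped by source IP."""
    hits = defaultdict(list)
    for raw in logs.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if datetime.fromisoformat(rec["time"]) < since:
            continue  # outside the audit window
        if rec.get("feature") != "RemoteAccess" or rec.get("ike_version") != "1":
            continue  # IKEv2 or site-to-site: not the remote-access IKEv1 path
        if rec.get("action") != "accept":
            continue  # only successful sessions matter for this triage
        hits[rec["src"]].append((rec["time"], rec["user"]))
    return dict(hits)

if __name__ == "__main__":
    for src, sessions in find_ikev1_remote_access(SAMPLE_LOGS).items():
        print(f"{src}: {len(sessions)} IKEv1 remote-access session(s) since {AUDIT_START:%Y-%m-%d}")
        for when, user in sessions:
            print(f"    {when}  user={user}")
```

Sources that show multiple accepted IKEv1 remote-access sessions in a short window, or logins for accounts that do not normally use the legacy client, are the ones to investigate first.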

You should understand the importance of applying security updates with urgency, regardless of organizational size. Implementing an effective patch management strategy, enabling comprehensive event logging, and actively monitoring security events are critical to protecting business-critical assets. A comprehensive risk management approach should include regular penetration testing, at least annually and after significant system changes, to ensure continued compliance with security best practices and industry regulations.

References:

  • Security Advisory – Action Required – Active Exploitation of Check Point VPN Authentication Bypass (CVE-2026-50751)
  • CVE-2026-50752 VPN site-to-site certificate bypass vulnerability in deprecated IKEv1 key exchange
  • CVE-2026-50751
